OpenClaw versions prior to 2026.2.22 contain an environment variable injection vulnerability in the system.run function that allows…
VulnCheck·CWE-78·Published 2026-03-03
OpenClaw versions prior to 2026.2.22 contain an environment variable injection vulnerability in the system.run function that allows attackers to bypass command allowlist restrictions via SHELLOPTS and PS4 environment variables. An attacker who can invoke system.run with request-scoped environment variables can execute arbitrary shell commands outside the intended allowlisted command body through bash xtrace expansion.
### Summary

`system.run` allowed `SHELLOPTS` + `PS4` environment injection to trigger command substitution during `bash -lc` xtrace expansion before the allowlisted command body executed.

### Affected Packages / Versions

- Package: `openclaw` (npm)
- Affected: `<= 2026.2.21-2` (includes latest published npm version at triage time)
- Patched (planned next release): `2026.2.22`

### Impact

In `allowlist` mode, an attacker who can invoke `system.run` with request-scoped `env` could execute additional shell commands outside the intended allowlisted command body.

### Root Cause

Host exec env sanitization blocked startup-file vectors (`BASH_ENV`, `ENV`, etc.) but did not block `SHELLOPTS`/`PS4`. For shell wrappers (`bash|sh|zsh ... -c/-lc`), request env overrides were passed through and `bash` evaluated `PS4` under `xtrace`, enabling command substitution.

### Fix

- Block `SHELLOPTS` and `PS4` in host exec env sanitizers (Node + macOS).
- For shell wrappers (`bash|sh|zsh ... -c/-lc`), reduce request-scoped env overrides to an explicit allowlist (`TERM`, `LANG`, `LC_*`, `COLORTERM`, `NO_COLOR`, `FORCE_COLOR`).
- Add regression tests for TS and macOS paths.

### Fix Commit(s)

- `e80c803fa887f9699ad87a9e906ab5c1ff85bd9a`

### Release Process Note

`patched_versions` is pre-set to the planned next release (`2026.2.22`). Once npm release `2026.2.22` is published, advisory publication is a final state action only.

### Severity Rationale

This advisory is rated **medium** because exploitation requires a caller that can already invoke `system.run` with request-scoped `env`. Under OpenClaw's documented trust model (`SECURITY.md`), authenticated Gateway callers are treated as trusted operators, and adversarial multi-operator / prompt-injection scenarios are out of scope. The bug remains a real allowlist-intent bypass, but it does not cross a separate trust boundary in the documented deployment assumptions.

OpenClaw thanks @tdjackey for reporting.
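As an added illustration of the two controls in the fix above (this is example code written for this page, not OpenClaw's own implementation; the function names, the `dropped` report, and the argv-based wrapper detection are assumptions), a request-scoped env sanitizer that blocks shell startup/trace variables outright and, for `bash|sh|zsh -c/-lc` wrappers, reduces overrides to the explicit allowlist:

```javascript
// Variables that alter how a shell starts or traces, independent of the
// command body. SHELLOPTS and PS4 are the two the original sanitizer missed.
// Extend per the project's own list; "etc." in the advisory is not enumerated here.
const BLOCKED_ENV_KEYS = new Set(["BASH_ENV", "ENV", "SHELLOPTS", "PS4"]);

// Overrides still permitted when the command is a shell wrapper.
const SHELL_WRAPPER_ALLOW = new Set(["TERM", "LANG", "COLORTERM", "NO_COLOR", "FORCE_COLOR"]);

function isShellWrapperAllowed(key) {
  return SHELL_WRAPPER_ALLOW.has(key) || key.startsWith("LC_");
}

// True for argv shaped like `bash -lc "..."`, `/bin/sh -c "..."`, `zsh -c "..."`.
// Any short-option cluster containing `c` counts, which errs on the restrictive side.
function isShellWrapper(argv) {
  if (!Array.isArray(argv) || argv.length < 2) return false;
  const base = String(argv[0]).split("/").pop();
  if (!["bash", "sh", "zsh"].includes(base)) return false;
  return argv.slice(1).some((a) => /^-[a-zA-Z]*c[a-zA-Z]*$/.test(a));
}

// Returns the overrides that may be applied plus the keys that were dropped,
// so a caller can log rejected keys for detection purposes.
function sanitizeRequestEnv(argv, requestEnv) {
  const env = {};
  const dropped = [];
  const shellWrapper = isShellWrapper(argv);
  for (const [key, value] of Object.entries(requestEnv || {})) {
    if (BLOCKED_ENV_KEYS.has(key)) { dropped.push(key); continue; }        // always rejected
    if (shellWrapper && !isShellWrapperAllowed(key)) { dropped.push(key); continue; }
    env[key] = value;
  }
  return { env, dropped };
}

// Merge the host's base env (also scrubbed of blocked keys) with sanitized overrides.
function buildExecEnv(baseEnv, argv, requestEnv) {
  const env = {};
  for (const [k, v] of Object.entries(baseEnv || {})) if (!BLOCKED_ENV_KEYS.has(k)) env[k] = v;
  const { env: overrides, dropped } = sanitizeRequestEnv(argv, requestEnv);
  return { env: { ...env, ...overrides }, dropped };
}

// Constructed sample request: a shell wrapper with trace variables and an
// unrelated override smuggled into request-scoped env.
const sample = sanitizeRequestEnv(["bash", "-lc", "ls -la"],
  { SHELLOPTS: "xtrace", PS4: "+", TERM: "xterm", LC_ALL: "C", HOME: "/tmp/x" });
console.log(JSON.stringify(sample)); // only TERM and LC_ALL survive; HOME, PS4, SHELLOPTS dropped
```

The `dropped` list is worth emitting to logs: a caller repeatedly sending `SHELLOPTS` or `PS4` to a shell-wrapper command is a detection signal in its own right.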
| Version | Type | Source | Base | Exp | Impact | Vector |
|---|---|---|---|---|---|---|
| 3.1 | Primary | NVD | 7.2 | 1.2 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | Primary | cve.org | 6.6 | — | — | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | Secondary | GHSA | 6.6 | — | — | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | Secondary | NVD | 6.6 | 0.7 | 5.9 | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H |
| 4.0 | Primary | cve.org | 7.5 | — | — | CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| 4.0 | Secondary | GHSA | 7.5 | — | — | CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| 4.0 | Secondary | NVD | 7.5 | — | — | CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |